Azure Governance
Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.
More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.
Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups
-
Prevent Owner role unless MFA enabled
We have a requirement to ensure all Owners have MFA enabled, using Conditional access policies we can only assign Global Admins not Owners, so would appreciate a way within a management group to ensure the "owner" of the subscription has MFA enabled, which we could assign by policy instead of audit, adding enforce MFA for Owner
3 votesI am going to move this item to Azure Policy as this would be something they could enforce on the MG scope.
-
Option to delete non-blueprint RBAC Assignment when blueprint is assigned
In a case where membership needed to be strictly controlled, the Blueprint configuration should offer an "Overwrite" option. This would remove any accounts manually added and block any accounts from being manually added.
Overwrite Scenario
Config
• Account Admin role on a Subscription 1 has Amber and Brian.
• Blueprint defines the members of the Account Admin role as Amber and Chuck and is assigned to Management Group A.
Result
• When Subscription 1 is moved to Management Group A the members of the Account Admin role is updated to Amber and Chuck3 votes -
azure policy check string length
It would be great if there will be in future a possibility to check the length of the resource Name at the deployment.
So it would be much easier to Control the naming convention for a resource.
3 votesSupport for length is coming soon (along with there: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions-string)
-Liz
-
Parameters Concatenation
I have a naming policy for resource type and i am naming it at a category level. I.e
If Resource is of type CDN or Network then name should be CLIENT1-DEV-INT-<nameofresource>
else If the Resource is of type AppFunction, AppService then name should be CLIENT1-DEV-WEB-<nameofresource>
etc.So this Policy will be massive and having multiple clients I need to introduce a parameter to cover for first bit to be same i.e instead of hard coding CLIENT1-DEV I use parameter and make policy general and use CONCATENATION in the LIKE portion of policy like below.
{
"policyRule": {
"if": {
"not":…3 votes -
Create additional policy condition of 'inCaseSensitive' to validate case-senstive match in the Array
Request to have the policy condition similar to 'in' for an Array to have an additional policy condition of 'inCaseSensitive' (or similar) to validate the value in the array is an exact, case-sensitive match.
2 votes -
Azure Policy - Based on delete action
Like to setup the Azure policy based on the delete action .
ex:
{
"source": "action",
"equals": "Microsoft.Network/expressRouteCircuits/*/delete"
},
"then": {
"effect": "deny"
}2 votes -
Azure Policy Allow field to equal null
I really need the ability to check that a field is null. In my case I want to Deny leaving an email address blank. To force people to fill in Vulnerability assessments reports and email them.
2 votes -
Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.
Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.
2 votes -
Function to get the properties of the assigned blueprint definition
It would be useful when you could get (with a function) the properties, like the version or name, of the blueprint definition during an assignment.
This way you could for example use this information in ARM artifact the information to tag the resources which a created by the blueprint assignment with the name and version number of the blueprint definition. So you would see directly form which blueprint definition and which version a resource was created.2 votes -
Add support for principalName in Microsoft.Authorization/roleAssignments resource type
Our organization use various naming conventions to differentiate between security groups with members with various types of clearances, between security groups with static memberships and just-in-time memberships, and high- and low-security service principals. Since we have hundreds of subscriptions and thus thousands of groups and users, the current aliases available in the Microsoft.Authorization namespace do not give us the ability to write all the policies we would like. Adding support for a Microsoft.Authorization/roleAssignments/principalName alias would enable us to write policies like:
- Prevent adding a security group designated as one with static membership as Owner on the subscription
- Prevent…2 votes -
Resource Changes: Track resource move
Create a change log when a resource is moved to a different resource group and maintain its history from before it moved
2 votes -
Ability to Integrate Depedency mapping in Azure Resource Graph with integration to Visio/Microsoft Graph or Security Center
Ability to integrate Azure Resource Graph Dependency and Discovery mapping results in Log Analytics (Log analytics (Service Map or Security Center) / Visio or Microsoft Graph (PaaS).
When moving resources from Resource Group to another Resource Group, most of the time it's difficult to get an overview of any backend dependencies. When performing a Move operation, a post check will be done, and if by any chance, a discrepancy is found, the Move operation will quit and display the failure in a RAW message format.
It would be great to have these backend dependencies visible by using the Resource Graph…
2 votesThis is in our future roadmap.
-
Warn when results are truncated in Search-AzGraph
Currently, when a you run a query via Search-AzGraph but don't specify the -First parameter, the results are limited to the first 100 items (see https://github.com/Azure/azure-powershell/blob/master/src/ResourceGraph/ResourceGraph/Cmdlets/SearchAzureRmGraph.cs for source code details).
Whilst the reasoning behind limiting the results is fully understood (a select everything across all subscriptions is obviously going to return a large result set!) it should at very least result in a warning when results are truncated.
As a secondary but related suggestion, I would also like to see the same warning be surfaced when the -First parameter *is* supplied but the result set is larger than the chosen…
2 votes -
Add additional strongTypes for Blueprint
Please add the following strongTypes that are supported by Azure Policy:
storageSkus
vmSKUs
existingResourceGroups
omsWorkspaceAdditionally, I would like the following:
existingVNETs - displays existing Virtual Networks
existingVNETSubnets - displays exiting VNET Subnets2 votes -
Add support in ARM template to validate values in an object
I would like to be able to validate certain values that are a part of an object in a parameter file. In the same way that it's possible to do this with simple strings or to validate that a object specified in the parameter file matches one of the objects in "allowedValues" for the object in the templates parameter section. Currently I'll have to specify all possible variants of an object and that isn't feasible if I want to validate more than two-three values that might have 3 or more values that should be allowed. It's also not possible to…
2 votes -
Allow a Blueprint or ARM Template Item timeout limit to be set
I have a Blueprint defined which has a purpose of provisioning a complete infrastructure but it is timing out due to one of its components being an ASE.
The overall template is based on the ISO 27001 foundation as supplied by MS but does a few other tings too, including deploying an Application Service Environment.
It all progresses nicely to a point - the components are all there and the ASE is undergoing provisioning however, it eventually throws an error with:
'Template' failed to deploy. Exceeded maximum wait time of '02:00:00'. Message: 'Deployment didn't get into terminal status within the…
2 votes -
Azure Blueprint (policy assignment) - Tag value should accept null values so we can put the tag later on.
Azure Blueprint (policy assignment) - Tag value should accept null values. For example, we want to put 'function' tag in each VM and function can be app, db, ad etc. If we put 'app' as a value then all the VMs will have the same tag. We want to be 'function' tag there but we want to put the value at the time of creation as per the role of VM.
Another one, Azure Blueprint (policy assignment). When we delete the blueprint, the blueprint got deleted but the policy does not get deleted. In this case, we have to delete…
2 votes -
Azure Blueprints sample for Service Fabric Cluster
It would be great to have a sample Azure Blueprints for stamping out different Service Fabric clusters. Unfortunately I haven't managed to find a sample online and tried to create one manually but failed as I am totally new to Azure and there are way too many pieces required for a putting together an Azure Blueprints for a secured multi-node type Service Fabric cluster.
2 votes -
Add "evaluate" booleans to Azure Policy ARM schema definitions
If you are working with policies, and have existing parameters and rules file from working with CLI / PowerShell, then you cannot copy and paste the JSON into the policyRule and parameters properties in Microsoft.Authorization/oplicyDefinitions. It will error and is very gard to workaround.
I suggest adding evaluatePolicyRule and evaluateParameters booleans, both defaulting to false. Also an evaluate boolean that sets both of the above, also defaulting to false.
2 votes -
Add "evaluate" booleans to Azure Policy ARM schema definitions
If you are working with policies, and have existing parameters and rules file from working with CLI / PowerShell, then you cannot copy and paste the JSON into the policyRule and parameters properties in Microsoft.Authorization/oplicyDefinitions. It will error.
I suggest adding evaluatePolicyRule and evaluateParameters booleans, both defaulting to false. Also an evaluate boolean that sets both of the above, also defaulting to false.
The tags.initiative.json shows my workaround, but it is very ugly. The tags.initiative.2.json file shows how I think it could and should look.
2 votes
- Don't see your idea?